Use stronger SSL and TLS versions

Template for a good false-positive report, formatted with Markdown:

  • versions used (SonarQube, Scanner, language analyzer)
    SonarQube ID information
    Server ID: 69FF93D0-AXobHJEaf-WIDwV27NKO
    Version: 8.9.1.44547
    Date: 2021-09-09

C++
SonarQube correctly identified TLS < 1.2, but reopened the issue after it was fixed. The fixed and reopened sample is below.

  • minimal code sample to reproduce (with analysis parameter, and potential instructions to compile).

Wrap code around triple quote ``` for proper formatting

```cpp
#include <curl/curl.h>
#include <string>

// Fixed sample: the handle is pinned to TLS 1.2 and to a specific CA bundle.
void configureHandle(CURL* curlHandle, const std::string& url_)
{
    curl_easy_setopt(curlHandle, CURLOPT_URL, url_.c_str());
    curl_easy_setopt(curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    curl_easy_setopt(curlHandle, CURLOPT_CAINFO, "/etc/openvpn/cacert.pem");
    curl_easy_setopt(curlHandle, CURLOPT_NOSIGNAL, 1L); // don't use signals
    curl_easy_setopt(curlHandle, CURLOPT_FAILONERROR, 1L); // fail on any code >= 400
    curl_easy_setopt(curlHandle, CURLOPT_TIMEOUT, 900L); // 15 minute timeout
    curl_easy_setopt(curlHandle, CURLOPT_CONNECTTIMEOUT, 30L); // 30 second connection timeout
    curl_easy_setopt(curlHandle, CURLOPT_MAXCONNECTS, 1L); // only allow a single connection
    curl_easy_setopt(curlHandle, CURLOPT_NOPROGRESS, 0L);
}
```

Hi, @glennclapp and welcome!
I am one of the developers working on the implementation of the rule detecting weak SSL and TLS versions used in C sources.

I’m afraid I need more information to diagnose this issue. I tried to reproduce the issue, and I get no reports for the line `curl_easy_setopt(curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);`.

Here is how to generate a reproducer containing all the relevant information: the source files, compiler flags, environment variables:

  • Add the reproducer option to the scanner configuration:
    `sonar.cfamily.reproducer="Full path to the .cpp file that has, or includes the file that has, the false positive"`
  • Re-running the scanner should generate a file named `sonar-cfamily.reproducer` in the project folder.
  • Please share this file. If you think this file contains sensitive information, you can send it privately.

Hi @glennclapp
Let me know if the issue is still relevant to you. Otherwise, I will close the topic in 1 week.

4 posts were split to a new topic: Weak SSL and TLS versions used in C sources

A post was split to a new topic: FP: Use stronger SSL and TLS versions with curl_easy_init()